Adding advanced authentication
Only when you understand the basics of authentication do you realize what "advanced" logon methods -- such as smartcards, biometrics, and other two-factor mechanisms -- can and can't give you.
Basically, these advanced methods make it harder for a bad actor to log on or authenticate as a specific identity: it is harder for an attacker to be accepted as someone he or she is not. Advanced authentication mechanisms are great for meeting that challenge, simply because it takes more effort to defeat a biometric or two-factor method than to steal or crack a password.
But advanced authentication won't prevent all hacking. For instance, I've encountered customers who mistakenly believe that smartcards will prevent hackers from penetrating their network. If the attacker can get onto a computer as local administrator (or root) by some other means, he or she can steal the credential material that the operating system keeps for the logged-on user and begin impersonating the true owner. On Windows, an elevated attacker can read a smartcard user's NT password hash out of LSASS (every smartcard-enabled account still has one: Active Directory assigns the account a random password when "Smart card is required for interactive logon" is set) and use NTLM or Kerberos to authenticate as that user to other computers.
The compromised computer is where the smartcard logon was enforced, and it did its job. But once the user has authenticated, his or her identity has been accepted, and the traditional authentication protocols kick in: from that point on, the identity is represented by the same secrets any other account uses, a password hash and Kerberos tickets and session keys. Anyone who can read those secrets can replay them elsewhere on the network, so a smartcard user's identity can be "stolen" and used even though the attacker never had the card or the PIN. Neither smartcards nor other two-factor mechanisms nor biometrics can prevent stolen-credential attacks such as pass-the-hash.
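One practical consequence of the above is that the traces of this attack look like ordinary authentication, just of the wrong kind for the account. The following is an added illustration, not code from the original column: it runs a hunt over constructed records shaped like Windows Security events 4624 (logon succeeded) and 4768 (Kerberos TGT requested) and flags two things that a smartcard-only account should rarely produce, an NTLM logon (pass-the-hash) and a TGT requested with RC4 (the NT hash used directly as the Kerberos key, often called overpass-the-hash). The account list, the event values and the "AES-enabled domain" assumption are all hypothetical; in a real environment the list comes from the directory and NTLM fallback (for example, access by IP address) does occur, so treat hits as leads, not verdicts.

```python
"""Hunt for NT-hash reuse by accounts that are supposed to log on only with a smartcard.

Added example with constructed data: the records below imitate Windows Security
events 4624 and 4768 but are not real logs, and SCRIL_ACCOUNTS stands in for a
directory query of accounts with "Smart card is required for interactive logon".
"""
from dataclasses import dataclass
from typing import Iterable, List, Set

RC4_HMAC = 0x17  # Kerberos etype 23; a TGT request keyed with an NT hash uses this
AES256 = 0x12    # Kerberos etype 18; what an AES-enabled account normally requests


@dataclass(frozen=True)
class Event:
    event_id: int           # 4624 = logon succeeded, 4768 = TGT requested
    account: str            # TargetUserName
    source: str             # WorkstationName or client IP address
    logon_type: int = 0     # 4624 only: 2 interactive, 3 network, 10 remote interactive
    auth_package: str = ""  # 4624 only: "Kerberos", "NTLM" or "Negotiate"
    etype: int = 0          # 4768 only: TicketEncryptionType


# Constructed: accounts that have the smartcard-required flag set.
SCRIL_ACCOUNTS: Set[str] = {"alice", "bob"}

# Constructed sample. alice's normal day is a smartcard logon on WS01 followed by
# Kerberos to a file server. The last two records are what it looks like after her
# NT hash was read from LSASS on WS01 and replayed from another host (10.0.0.99).
SAMPLE_EVENTS: List[Event] = [
    Event(4624, "alice", "WS01", logon_type=2, auth_package="Kerberos"),
    Event(4768, "alice", "10.0.0.11", etype=AES256),
    Event(4624, "alice", "FS01", logon_type=3, auth_package="Kerberos"),
    Event(4624, "carol", "WS02", logon_type=3, auth_package="NTLM"),  # no card: NTLM is normal
    Event(4624, "alice", "10.0.0.99", logon_type=3, auth_package="NTLM"),  # pass-the-hash
    Event(4768, "alice", "10.0.0.99", etype=RC4_HMAC),  # overpass-the-hash
]


def flag_credential_reuse(events: Iterable[Event], scril: Set[str]) -> List[str]:
    """Return one finding per event that contradicts how a smartcard-only account
    is expected to authenticate: NTLM logons and RC4-keyed TGT requests.

    Assumption (hypothetical domain): accounts are AES-enabled, so an RC4 TGT
    request for one of them usually means the NT hash, not the card, was used.
    """
    findings: List[str] = []
    for e in events:
        if e.account.lower() not in scril:
            continue
        if e.event_id == 4624 and e.auth_package.upper() == "NTLM":
            findings.append(
                f"{e.account}: NTLM logon (type {e.logon_type}) from {e.source}; "
                "unexpected for a smartcard-only account, check for pass-the-hash"
            )
        elif e.event_id == 4768 and e.etype == RC4_HMAC:
            findings.append(
                f"{e.account}: TGT requested with RC4 from {e.source}; "
                "consistent with NT hash reuse (overpass-the-hash)"
            )
    return findings


if __name__ == "__main__":
    for finding in flag_credential_reuse(SAMPLE_EVENTS, SCRIL_ACCOUNTS):
        print(finding)
```

Running the block prints two findings, both for alice and both from 10.0.0.99; carol's NTLM logon is ignored because she is not a smartcard-only account. The detection is only as good as the secret it watches: the NT hash behind a smartcard account stays valid until it is rolled, and clearing and re-setting the smartcard-required flag on the account regenerates it, which is the usual cleanup step after a host holding that user's session is compromised.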
I help clients install advanced authentication techniques all the time, but I make sure not to oversell the protection they provide. They beat passwords in most use cases, but they're no panacea, and they won't solve every hacker-related problem.
This story, "Advanced authentication can't cure all security ills," was originally published at InfoWorld.com. Keep up on the latest developments in network security and read more of Roger Grimes' Security Adviser blog at InfoWorld.com.